A few simple questions to see if you are really doing risk management

Risk managers can have a hard time persuading their company leadership to invest in an enterprise risk management (ERM) system. I was asked how I'd go about making an argument for considering our ERM system, called Pelican.

I proposed the list of questions below. Feel free to critique! You might like to try them out with your executive committee too.

I don't think one should try to give a $ value to good risk management. You end up arguing about the numbers. If the executive care about any of the questions below, the road map to get them the information they want is easy with Pelican, and they will quickly figure out whether it's worth the investment - which is about 1 FTE.

  1. Are you being shown what the biggest threats are to your strategy for the future? (they are probably not financial)
  2. Are you being shown how ERM contributes to maintaining and preserving the value of the business by contributing to key decisions?
  3. Are you being told what your overall risk exposure is, and where it’s concentrated?
  4. When you need to distribute money to manage different types of risk like H&S, cyber-security, and environmental, are you provided with a clear value-for-money comparison?
  5. Are you being shown that your risks are being managed well? When there are any slip-ups? When a risk management strategy isn’t working?
  6. Are you being told if your risk level is going up or down, and why?
  7. Are you being shown how much you rely on third parties to manage risk?
  8. Is the method used to determine the capital to set aside to cover financial risk robust?
  9. Are you immediately informed of major changes to risk levels?
  10. Have you been shown that people in your organisation really think about risk, and understand which are acceptable and which are not?
  11. Have you been shown how cost-effective your insurance is?
  12. Have you been reassured that the corporate body of knowledge of experience in managing risk is preserved and shared?


tshabalala phofa

Managing Director at African Bright Horison (Pty) (Ltd)

5 years ago

The Executive committee members need to be risk owners and understand the entire risk management framework of their company well in order to answer these questions. In certain circumstances the executive committee members believed this is the responsibility of the Chief Risk Officer and therefore do not take initiative to understand risk management concepts applicable to them.

Paul Kennedy

Chief Risk Officer at Bank ABC

5 years ago

One more perhaps - does the process in your organisation to set risk tolerances happen AFTER you have already set budgets and strategy?

Brian Moatshe, CIRM, AMBCI

Business Continuity and Incident Management

5 years ago

You need a very honest, transparent and ethical leadership to respond to these questions, many times leadership is the one trying to hide their risks, thinking it shows lack of performance/under-performance on their watch.

Hans Læssøe

Take chances - intelligently

5 years ago

I would add "Are you told what the likelihood is you will meet (these and those) targets?" Then again, I do not know if Pelican can answer that question.


More articles by David Vose
